SSL and TLS Protocols

SSL stands for Secure Sockets Layer and was originally created by Netscape. SSLv2 and SSLv3 are the two versions of this protocol (SSLv1 was never publicly released). After SSLv3, SSL was renamed to TLS.

TLS stands for Transport Layer Security and started with TLSv1.0, which is an upgraded version of SSLv3.

Those protocols are standardized and described by RFCs.

OpenSSL provides an implementation for those protocols and is often used as the reference implementation for any new feature.

The goal of SSL was to provide secure communication over classical TCP sockets with very few changes to how the socket API is used, so that existing TCP socket code could be secured with little modification.

SSL/TLS is used in every browser worldwide to provide HTTPS (HTTP Secure) functionality.

A Signaling Cipher Suite Value (SCSV) is a cipher suite value that does not actually correspond to a suite of cryptosystems.
Its presence signals some fact or contextual information to the peer without breaking existing implementations, which just ignore it as an unsupported cipher suite.

SCSV was created with TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the RFC 5746 draft: http://tools.ietf.org/html/rfc5746#section-3.3
A cipher suite value is used because some SSLv3 and TLSv1.0 implementations fail to ignore extensions that they do not support; signaling through a cipher suite works around these implementation problems.
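The SCSV handling described above, as an added example (not OpenSSL's code): a scan of the ClientHello cipher_suites vector that records TLS_EMPTY_RENEGOTIATION_INFO_SCSV (value 0x00FF in RFC 5746) as a signal and never selects it as a cipher suite. The function, struct and array names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SCSV_EMPTY_RENEGOTIATION_INFO 0x00FF /* RFC 5746, section 3.3 */

struct suite_scan {
    int      secure_reneg; /* 1 if the client sent the SCSV */
    uint16_t selected;     /* chosen real suite, 0 if none in common */
};

/* Scan a ClientHello cipher_suites vector: 2-byte big-endian byte count,
 * then 2-byte suite values. Returns 0 on success, -1 if malformed. */
int scan_cipher_suites(const uint8_t *buf, size_t len,
                       const uint16_t *supported, size_t n_supported,
                       struct suite_scan *out)
{
    size_t vec_len, i, j;
    out->secure_reneg = 0;
    out->selected = 0;
    if (len < 2)
        return -1;
    vec_len = ((size_t)buf[0] << 8) | buf[1];
    if (vec_len == 0 || (vec_len & 1) || vec_len > len - 2)
        return -1; /* empty, odd, or longer than the buffer */
    for (i = 0; i < vec_len; i += 2) {
        uint16_t suite = (uint16_t)((buf[2 + i] << 8) | buf[3 + i]);
        if (suite == SCSV_EMPTY_RENEGOTIATION_INFO) {
            out->secure_reneg = 1; /* a signal: record it, never select it */
            continue;
        }
        /* First client-preferred match wins; unknown values are skipped. */
        for (j = 0; out->selected == 0 && j < n_supported; j++)
            if (supported[j] == suite)
                out->selected = suite;
    }
    return 0;
}

/* Constructed sample: client offers 0x002F, 0x0035 and the SCSV 0x00FF. */
static const uint8_t sample_suites[] = { 0x00, 0x06, 0x00, 0x2F, 0x00, 0x35, 0x00, 0xFF };
static const uint16_t sample_server[] = { 0x0035 }; /* server's only suite */

int main(void)
{
    struct suite_scan r;
    if (scan_cipher_suites(sample_suites, sizeof sample_suites, sample_server, 1, &r) != 0)
        return 1;
    printf("selected=0x%04X secure_reneg=%d\n", r.selected, r.secure_reneg);
    return 0;
}
```

A server that predates RFC 5746 runs only the inner matching loop, so 0x00FF is skipped like any other value it does not support, which is why the signal does not break it.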

Since the handshake relies heavily on public key cryptography, which is CPU intensive compared to symmetric (secret key) cryptography, the protocol provides ways to reuse existing credentials to reissue new secret keys for new connections (new TCP connections) or to renew existing connections.

Browsers use this heavily when connecting to HTTPS sites, since they open multiple connections to the same site at a time. The first connection does the handshake, while all the others use a quick handshake (also called a resumed, abbreviated or restart handshake), which saves CPU on both client and server.

These items are then used to create security parameters for use by
the Record Layer when protecting application data. Many connections
can be instantiated using the same session through the resumption
feature of the TLS Handshake Protocol.

This explains the difference between an OpenSSL SSL connection (SSL) and an SSL session (SSL_SESSION): each SSL connection runs on its own TCP connection and can share the same SSL session with other SSL connections.

The client sends a Certificate Verify message, signed with the private key counterpart of the client public key included in its Certificate, using a digest algorithm over all handshake messages so far (excluding this one, of course).

This proves that this client owns the private key that applies to this specific handshake and hence authenticates the client for this session.